From mboxrd@z Thu Jan 1 00:00:00 1970
From: Lukas Sichert
To: pve-devel@lists.proxmox.com
Subject: [RFC manager/network 0/3] fix #5066: make generated snat rules flushable
Date: Fri, 5 Jun 2026 13:48:01 +0200
Message-ID: <20260605114810.43030-1-l.sichert@proxmox.com>
CC: Lukas Sichert
List-Id: Proxmox VE development discussion

When creating a subnet with SNAT enabled and applying the changes, then afterwards disabling SNAT and applying the changes again, the iptables POSTROUTING rule still persists.
This is because ifreload -a only executes (post/pre-)down hooks when an interface is removed from /etc/network/interfaces, while the (post/pre-)up hooks are always executed [1]. As a result, the SNAT rule is not removed by 'ifreload -a' and only a restart or 'ifdown' will remove it.

This series moves generated SDN SNAT rules into a dedicated 'PROXMOX-SDN' chain in the iptables nat table and adds a jump from POSTROUTING to that chain. This keeps the generated rules separate from custom rules added by users or other components. The dedicated chain can then be flushed during network reload, removing stale SDN SNAT rules without touching unrelated POSTROUTING rules.

As this changes the generated /etc/network/interfaces.d/sdn output, the expected test output is adjusted accordingly.

This series applies on top of https://lore.proxmox.com/all/20260603142921.91174-1-l.sichert@proxmox.com/

[1] manpages.debian.org/testing/ifupdown2/ifreload.8.en.html

network:

Lukas Sichert (2):
  fix #5066: snat: push evpn snat rules into separate iptables chain
  fix #5066: snat: push simplezone snat rules into separate iptables chain

 src/PVE/Network/SDN/Zones/EvpnPlugin.pm        | 15 +++++++++++++--
 src/PVE/Network/SDN/Zones/SimplePlugin.pm      | 18 +++++++++++++++---
 .../evpn/exitnode_snat/expected_sdn_interfaces | 16 ++++++++++++----
 .../simple/ipv4snat/expected_sdn_interfaces    |  8 ++++++--
 .../simple/ipv6snat/expected_sdn_interfaces    |  8 ++++++--
 5 files changed, 52 insertions(+), 13 deletions(-)

manager:

Lukas Sichert (1):
  fix #5066: reload networking: flush PROXMOX-SDN iptables chain at reload

 .codex              | 0
 PVE/API2/Network.pm | 3 +++
 2 files changed, 3 insertions(+)
 create mode 100644 .codex

Summary over all repositories:
  7 files changed, 55 insertions(+), 13 deletions(-)

-- 
Generated by murpp 0.12.0
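An added check, not part of this series or of the Proxmox code: it scans an 'iptables-save -t nat' style dump and reports which SNAT/MASQUERADE rules still sit directly in POSTROUTING (the layout 'ifreload -a' cannot clean up) versus rules inside the PROXMOX-SDN chain that a reload can flush, and whether the POSTROUTING jump into that chain exists. The dump is a constructed sample and the function names are hypothetical.

```shell
#!/bin/sh
# Chain name as given in the cover letter; everything else here is illustrative.
SDN_CHAIN=PROXMOX-SDN

# Constructed sample of 'iptables-save -t nat' output: one rule left directly in
# POSTROUTING by the old layout, one user SNAT rule, the jump into the SDN chain,
# and one generated rule inside the SDN chain.
SAMPLE_NAT_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:PROXMOX-SDN - [0:0]
-A POSTROUTING -s 10.0.0.0/24 -o vmbr0 -j MASQUERADE
-A POSTROUTING -j PROXMOX-SDN
-A POSTROUTING -s 192.168.1.0/24 -o eth1 -j SNAT --to-source 203.0.113.1
-A PROXMOX-SDN -s 10.0.1.0/24 -o vmbr0 -j MASQUERADE
COMMIT'

# Print the rules of the given chain whose target is MASQUERADE or SNAT.
# The plain "-j PROXMOX-SDN" jump is deliberately not matched.
nat_rules_in_chain() {
    awk -v chain="$1" '
        $1 == "-A" && $2 == chain && ($NF == "MASQUERADE" || $0 ~ / -j SNAT /) { print }
    '
}

# Number of NAT rules appended straight to POSTROUTING. After the change in this
# series, any generated SDN rule still counted here is a stale leftover.
count_direct_postrouting_nat() {
    printf '%s\n' "$SAMPLE_NAT_DUMP" | nat_rules_in_chain POSTROUTING | wc -l | tr -d ' '
}

# Number of NAT rules inside the dedicated chain, i.e. the ones a reload can flush.
count_sdn_chain_nat() {
    printf '%s\n' "$SAMPLE_NAT_DUMP" | nat_rules_in_chain "$SDN_CHAIN" | wc -l | tr -d ' '
}

# Succeeds only if POSTROUTING actually jumps into the SDN chain; without the
# jump the chain's rules never see traffic even though they are present.
has_sdn_jump() {
    printf '%s\n' "$SAMPLE_NAT_DUMP" | grep -q "^-A POSTROUTING -j $SDN_CHAIN\$"
}

echo "direct POSTROUTING NAT rules: $(count_direct_postrouting_nat)"
echo "rules in $SDN_CHAIN: $(count_sdn_chain_nat)"
has_sdn_jump && echo "jump from POSTROUTING to $SDN_CHAIN present"
```

To run it against a live host, replace the embedded sample with the output of 'iptables-save -t nat' taken after 'ifreload -a'.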